Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

103__Installer.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.938024130303621
Filename:	103__Installer.exe
Filesize:	249344
MD5:	fba295e75a2c2fd0f205da0a14b76859
SHA1:	5f26b9001c0482f1018ce153e58caf61e80ecb8f
SHA256:	86ed9f7125ae452d28f9eabd11f5cc9bef747fb751a5aa1283a0ab24952cf508
SHA512:	0570f038d1ee0892ff66aa47b8b8ceca5790f467188b16a5c968f0bfc2891882b3441d090db1b586861a6a84756d2dbcf54e9360970638d5ae987477f012e283
SSDEEP:	3072:NPl4G474Poo9JkbXjEU+QVUjsbCeg2SbAe4ZQeAnuTCt2xbzmyoaq6rcYsc8kOeu:NPW745r2XgUsjsbOZnjZ2x4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L....b.f.................v...T.....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
Abnormal high CPU Usage	System Summary	System Time Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Checks if the current process is being debugged	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Archive Collected Data
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_103__Installer.e_543e9b5bf1d99de7872b8c34a610dcac6fe4_9792b471_b8d55630-627c-4954-8814-5f2f94326423\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_103__Installer.e_543e9b5bf1d99de7872b8c34a610dcac6fe4_9792b471_b8d55630-627c-4954-8814-5f2f94326423\Report.wer
Category:	dropped
Dump:	Report.wer.16.dr
ID:	dr_6
Target ID:	16
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.2517547462549623
Encrypted:	false
Ssdeep:	192:RqYfuOi2UN0BU/AjZTD4yX66zuiFAZ24IO8w:YYfuOi29BU/AjWyX/zuiFAY4IO8w
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5186.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Jul 2 17:28:06 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5186.tmp.dmp
Category:	dropped
Dump:	WER5186.tmp.dmp.16.dr
ID:	dr_3
Target ID:	16
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Jul 2 17:28:06 2024, 0x1205a4 type
Entropy:	3.5682967330200746
Encrypted:	false
Ssdeep:	3072:MhwFpka8T4uEqxmeLTg/NyHm1vUaGyDe3UF6:qwYa8T4OpTg/NyHUVhK+6
Size:	353771
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER535C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER535C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER535C.tmp.WERInternalMetadata.xml.16.dr
ID:	dr_4
Target ID:	16
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.696449317246591
Encrypted:	false
Ssdeep:	192:R6l7wVeJyJx67p6YWGSU+4kgmfZYAVbprZ89bpJsfpDm:R6lXJyf6N6Y3SUKgmfSAVwpifw
Size:	8434
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER537C.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER537C.tmp.xml
Category:	dropped
Dump:	WER537C.tmp.xml.16.dr
ID:	dr_5
Target ID:	16
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.457823322209864
Encrypted:	false
Ssdeep:	48:cvIwWl8zsmnNJg77aI9H2zNWpW8VY8Ym8M4JMrtBFK+q8vqtHPAS88WSycd:uIjfmnnI7Q47V4JtK+P7Nycd
Size:	4765
Whitelisted:	false
Reputation:	low

C:\Users\Public\Downloads\ind.jpg

data

dropped

Details

File:	C:\Users\Public\Downloads\ind.jpg
Category:	dropped
Dump:	ind.jpg.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\103__Installer.exe
Type:	data
Entropy:	7.604678512981776
Encrypted:	false
Ssdeep:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp
Category:	dropped
Dump:	103[1].ccp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\103__Installer.exe
Type:	data
Entropy:	7.604678512981776
Encrypted:	false
Ssdeep:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.16.dr
ID:	dr_2
Target ID:	16
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.296059831234597
Encrypted:	false
Ssdeep:	6144:U41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+wW/mBMZJh1Vjt:J1/YCW2AoQ0Nid/wMHrVp
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\103__Installer.exe

"C:\Users\user\Desktop\103__Installer.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7572
Target ID:	0
Parent PID:	3968
Name:	103__Installer.exe
Path:	C:\Users\user\Desktop\103__Installer.exe
Commandline:	"C:\Users\user\Desktop\103__Installer.exe"
Size:	249344
MD5:	FBA295E75A2C2FD0F205DA0A14B76859
Time:	13:24:42
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb70000
Modulesize:	270336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2096

Details

Is windows:	true
Is dropped:	false
PID:	4588
Target ID:	16
Parent PID:	7572
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2096
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	13:28:05
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x2b0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

59.56.110.103

Details

Name:	59.56.110.103
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\103__Installer.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://upx.sf.net

unknown

http://guanlix.cn:881/103.ccp

91.208.240.157

Details

Name:	http://guanlix.cn:881/103.ccp
IP:	91.208.240.157
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\103__Installer.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://guanlix.cn:881/103.ccpq

unknown

Domains

Name

Malicious

guanlix.cn

91.208.240.157

Details

Name:	guanlix.cn
IP:	91.208.240.157
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

59.56.110.103

unknown

China

Details

IP:	59.56.110.103
TargetID:	0
Current Path:	C:\Users\user\Desktop\103__Installer.exe
Country:	China
Countrycode:	CHN
ASN number:	133774
ASN name:	CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

91.208.240.157

guanlix.cn

unknown

Details

IP:	91.208.240.157
TargetID:	0
Current Path:	C:\Users\user\Desktop\103__Installer.exe
ASN number:	139659
ASN name:	LUCID-AS-APLUCIDACLOUDLIMITEDHK
Private:	false
Domain:	guanlix.cn

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port